The infra lead enrolls TOTP seeds for the AWS root account and the DNS provider, each under a critical infrastructure policy.
The policy names the requestor group, an approver group, an approval threshold, and a 1 hour access window.
A requestor asks for access with a short note (rotation needed for production keys). The request carries device details and geolocation.
Every approver gets a push notification showing the requestor, device, location, and note. Approval triggers a biometric check and response signing.
Castle blocks self approval structurally: the requestor’s own approval never counts toward the threshold.
On approval, the enclave generates a scoped window of codes encrypted to the requestor’s device. Every display is timestamped in the audit log.
Requestor group, approver group, threshold, and window. The two person rule becomes configuration, not culture.
Real time notifications with requestor context; one tap approve or deny, signed and verified by the backend.
Enforced by the access service, not convention. The requestor cannot satisfy their own threshold.
The stateless control plane: validates policy conditions, persists pending requests, coordinates the enclave.
Requests, approvals, denials, and every code display, with actor, device, and time, exposed to the admin console.
The failure mode this kills: root 2FA locked in a password manager two people can access, both of whom might be offline or gone.
Auditors get what they actually ask for: who accessed the root account, when, approved by whom, from where.
Approvals are signed on device with a biometric step, so a compromised laptop cannot silently grant access.
The access window bounds exposure: codes exist for the approved hour and purge from the device after.
Walk through the trust model, policy design, and rollout with our security and solutions team.